A Model for When Disclosure Helps Security Peter P. Swire Ohio State University Stanford Cybersecurity Conference November 22, 2003.

The Paradox
- Open Source mantra: No Security Through Obscurity
  - Secrecy does not work
- Military base and the location of the defensive machine guns
  - Secrecy as essential
- I am working on a book on What Should Still Be Secret – basic model today

Open Source & Disclosure Helps Defenders
- Presume that attackers will easily/quickly learn of flaws
  - Disclosure does not help attackers (much)
- Writers of software learn of flaws and fix
- Users of software learn of patch and fix
  - Disclosure does help the defenders
- [I am not taking a position on proprietary v. Open Source – focus on when disclosure can improve security]

Military Base & Disclosure Helps Attackers
- It is hard for attackers to get close enough to learn the physical defenses
  - Disclosure thus helps attackers
- The defenders likely get little benefit from outside/peer review broadcast to all
  - Disclosure provides little help to defenders

Effects of Disclosure (rows: how much disclosure helps attackers; columns: how much it helps defenders)

                          Help Defenders: Low       Help Defenders: High
  Help Attackers: Low                               Open Source
  Help Attackers: High    Military/Intelligence

Physical & Cyber Security
- Physical: defend the buried pipeline
  - Hard for attackers to learn the key vulnerable point
  - Expensive to rebuild pipeline once in place
  - Vulnerabilities often unique
- Cyber: change the software
  - Easy for attackers to do remote attacks & tell others of vulnerability (warez & hacker sites)
  - Relatively inexpensive to patch & update
  - Vulnerabilities often large scale/mass market

Effects of Disclosure (rows: how much disclosure helps attackers; columns: how much it helps defenders)

                          Help Defenders: Low       Help Defenders: High
  Help Attackers: Low                               Open Source
  Help Attackers: High    1. Military/Intel
                          2. Physical facilities

Conclusion
- I am proposing a simple model for when disclosure helps security
  - Disclosure helps defenders? Attackers?
- Explains reasons for less disclosure of vulnerabilities for military, intel, & physical
- Explains reasons for greater disclosure for many software and computer system settings
- Other reasons to consider disclosure or not
  - FOIA/accountability
  - Privacy/confidentiality
- Have an intellectual framework for proceeding